COVID-19: Working from home, things to consider as a Small/Medium Business Owner

April 7, 2020 Willem
Off
Information, Tips and Tricks
Share this Post

We hope you’re staying safe during this lock-down.  To help guide you and your business through these unprecedented times, we’ve created a basic guideline on things you can implement to increase your cyber security standing.

Because of the increased demand for people to work remotely from their personal devices, this has opened up some security risks that may be exploited. If one’s personal device is compromised, this will give outsiders access to their work station (if you are automatically connecting via a VPN or Remote Desktop Session) and thus the company data. Let’s begin;

Monitoring & Anti-Virus/Anti-Malware Protection 

But I only use my PC for YouTube and Facebook-ing?

So you’ve set up all your employee’s to work from home. They’re connecting to the Work Network, or using a Remote Desktop Session to access their workstations. Maybe both. One concern is the security of all the PC’s working from outside of the office. Because you do not know the setup of every employee’s PC from home, you should consider installing some form of Anti-Virus or Anti-Malware Protection. We use Webroot, but other endpoint protection program’s that suffice could be Kapersky, ESET32, or Avast. This won’t be the be-all end-all of protection, but it is a good start to scan every PC and find out what thing’s may be lurking in the background. 

Yes, these endpoints are usually used to very basic things, such as browsing the web or maybe typing up a few documents. However you have no idea what potentially malicious programs (or App’s!) have been installed in the background. Unfortunately the reality is that not a lot of users have the ability to distinguish the good from the bad when it comes to accepting or installing things. Not to point fingers, it’s an honest mistake. With Malware becoming increasingly more compelling, with hackers and scammers alike employing sneakier tactics to get unsuspecting people to sign up or install something.
 
Thus, safety is a top priority in these times, and protecting each and every workstation connecting to your work network is vital. There are unfortunately many avenues of attack for hackers to use, and ill-maintained personal PC’s are a large one.  

The next point of concern is the connection to your VPN itself.  

Two-Factor Authentication 

Man, it’s so annoying having to use this “2FA” business

I mean, it is. Gone are the days of simple passwords (password123?) and auto-fill login’s (yes, they still exist in the realm of Social Media). Now we want phrases, a mixture of uppercase, numbers, characters…..you get the gist. We’ll get to that later. The bottom line is, as computational power grows, the time it takes for a password to be broken lessens. Enter: “2 Factor Authentication”.

Let’s get the basics out of the way first. What is 2 Factor Authentication? It’s authentication through two steps. To expand a little bit more, it’s two avenues you use to access your information. Think of it as two locks with two separate keys. You can have the key to one lock, but without the other key, it’s essentially useless. That’s what “2FA” (abbreviated) is.

Typically this comes in the form of a 6-digit code, one which expires every 30 seconds. However there’s a few ways to do this;

  • 6-Digit code using a PIN and Secret Key;
  • 6-Digit code on a 30 second timer;
  • A notification in which you “Accept” or “Decline”;
  • A text message with a code (any number of digits), usually times out in a few minutes; or
  • A call.

The order in which those are listed is intentional, with the most robust being at the top. Why? A brief explanation may help you;

To start off with, the 6-Digit codes are very hard to get a hold of. They are almost always connected to a single device (be it a mobile phone or Key Fob) and scramble themselves every 30 seconds (or other, depending on your setup). That gives hackers a very small window of time to grab the code and enter it before it expires. And how are they going to do that? (There are ways, but not for this article to delve into). If you want a little example, watch this snippet from Mr. Robot (an excellent show displaying very realistic hacking).

The Accept or Decline method, while more efficient and straightforward, could be open to unknown access. The way it works is simple, as soon as you enter the correct password it sends a request to your mobile device. You then press “Accept” or “Decline”. Accept grants access, Decline doesn’t. Easy right? The issue is in the end user. Most of the time users will know that they’re logging in and will accept the request. But what happens when a request comes through when they aren’t logging in?

Common sense would say you “Decline” that request and change your password as there’s a chance you’ve been compromised. However there is a chance people will blindly accept the request (because of habit, or because they think it’ll ruin workflow if they decline) and then the hackers in. They won’t know for many days, weeks or months that a hacker got in and got information, because that oddly timed request may never appear again.

Finally the text message and call. Spoofing mobile numbers isn’t as hard as one would think. We live in a digital age where everything is connected. Unfortunately this means that there’s a real possibility to grab text messages and calls from another number in real time. Now this requires a bit of work from the hackers, and most likely won’t be used on you unless you’re a large target, but this is the least secure of the bunch. Again, not going into details of the how on this article, this is all we’ll say on the matter. Not many people use these options anyway.

Assess your VPN connection and the way you access it from outside of your network. Do you use 2FA? If not, should you use it? The answer should be yes. It’s not a large burden on anyone once they understand how to use it, and setup (depending on how you connect and what access point you may be using) shouldn’t be a hassle large enough to outweigh the potential threat. Look into it. You won’t regret it.

Remote Access Applications

 Easy, straight-forward, and efficient. What’s not to love?

A lot unfortunately. No, that’s not true, they are very easy to use and very efficient. But a lack of strong authentication (one password?) and sometimes an un-encrypted connection can spell disaster. And what if someone already has control over the computer you’re using to access it? What then? Well you’ve just surrendered control over all your company data to the unknown.

Now, it’s not all bad. There are options to alleviate the underlying issues. Firstly is through an encrypted VPN connection (like one with a strong password and 2FA, for example). Connect to that first, and then through the VPN connection you can then use a Remote Desktop Service to connect to your workstation. It’s not perfect, something you’ll hear a lot of in Cyber Security because the avenues of attack stretch very wide, but it’s better than nothing by far.

Or you could use systems like Citrix, which employ an encrypted channel through their own use of password policies and 2FA. Look around, and don’t be afraid to ask professionals for opinions. It may just save you in the future.

Password Policy 

My password….my password….I wrote it down on a post-it note somewhere, where did it go?

Ah yes, it was “Emily1995”. after my daughter and her birth year! It’s so easy to remember.

Yes, the unfortunate reality of modern day passwords. That’s not without fault however, I mean how else can you remember individual passwords for every Social Media account you hold?! Google, Facebook, Twitter, Instagram….the list goes on! You could write it down in a word document or on a piece of paper, that could help you. But is it safe? If it’s in the privacy of your own home, and you have nothing to hide, then okay fair dinkum. But if it’s on your desk at your office, where one password is the gate between you and all your company data and information? That’s a different story.

Before I go on about password complexity and password policies. It should be noted that it’s really hard to remember your passwords, we all fall victim to it more often than not, and we’re still trailing secure ways to remember the variety of complex passwords that we have for ourselves. If you want some examples of systems you can look into, here they are;

Strictly speaking from a business stand-point (ignoring all unnecessary passwords like Social Media etc.) it shouldn’t be too hard for your employee’s to individually remember one or two “complex” passwords. Below are some tips on that;

  • Use a short phrase of some sort. It should consist of somewhere between three to five words, and something odd but easy to remember, like “hand sanitizer is bad”. Which it isn’t by the way, please maintain good hand hygiene;
  • Add in some capitalization: “HandSANITIZERisBaD” is one example;
  • Bring in numbers, a common thing is to replace letters with numbers, but don’t be afraid to add them in the beginning or the end, or inbetween! “H4ndSAN1TIZERisBaD67”;
  • And finally, some “special characters”. These are usually “!, @, #, $, ?, -, _” and so on. So finally we end up with: “H4nd$AN1TIZERisBaD67!!?”.

Not the greatest example, and you can mess around with anything and maybe reduce complexity a bit. But the idea is there. These types of passwords make it easier to remember, whilst also increasing complexity for hackers to break. You can use random password generators too, but they’re usually very hard to remember. There are two common methods that hackers use to break passwords; Brute Force, and Social Engineering.

Brute Force is as it sounds, constantly just spamming your password entry with a random assortment of words, numbers and symbols until they get the right combination.

Social Engineering is either done in person, or creating a persona of you. Understanding your basic information like date or birth, place born, graduation date, hometown etc. And creating passwords out of combinations of these things. That “Emily1995” example at the beginning of this section? That would easily be cracked with Social Engineering, and would most likely only take a few attempts if the hacker got a hold of your family member information (pets included!).

Final Comments

Cyber Security runs far and wide, and is an ever growing area in Information Technology as we push forward as a species and become more connected. This article only scratches the surface of what can be done, and is only aimed at giving advice to those who are unfamiliar with it.

A disclaimer is that none of these options will guarantee your business total security. However if implemented will definitely strengthen your businesses standing. One of the greatest weaknesses of any business, small or large, are it’s employee’s. Good employee training and understanding of cyber security and good habits can be invaluable to any business and should be heavily considered when looking into induction training’s.

We hope you are all doing well in these surreal times of COVID-19, and wish you and your business all the best.

If you wish to contact us about Cyber Security and your business’s needs, feel free to contact us here or call (09) 262 3878.

Thank you for reading, and stay safe.